Starship/CoreID
1
0
Fork 0
Code Issues 8 Pull Requests Releases 34 Wiki Activity
7f1c9ec9a8
CoreID/app/models/auth/User.model.js
garrettmills 97096f619f
All checks were successful
continuous-integration/drone/push Build is passing
Details
Make UID case-insensitive
2020-10-18 23:27:23 -05:00

252 lines
7.2 KiB
JavaScript
Raw Blame History

const AuthUser = require('flitter-auth/model/User')
const LDAP = require('ldapjs')
const ActiveScope = require('../scopes/ActiveScope')
const MFAToken = require('./MFAToken.model')
const PasswordReset = require('./PasswordReset.model')
const AppAuthorization = require('./AppAuthorization.model')
const AppPassword = require('./AppPassword.model')
const uuid = require('uuid').v4
const NotifyConfig = require('../system/NotifyConfig.model')
/*
* Auth user model. This inherits fields and methods from the default
* flitter-auth/model/User model, however you can override methods and
* properties here as you need.
*/
class User extends AuthUser {
static get services() {
return [...super.services, 'auth', 'ldap_server', 'configs', 'models', 'app']
}
static get schema() {
return {...super.schema, ...{
// other schema fields here
first_name: String,
last_name: String,
tagline: String,
email: String,
ldap_visible: {type: Boolean, default: true},
active: {type: Boolean, default: true},
mfa_token: MFAToken,
password_resets: [PasswordReset],
app_passwords: [AppPassword],
app_authorizations: [AppAuthorization],
mfa_enabled: {type: Boolean, default: false},
mfa_enable_date: Date,
create_date: {type: Date, default: () => new Date},
photo_file_id: String,
trap: String,
notify_config: NotifyConfig,
}}
}
async photo() {
const File = this.models.get('upload::File')
return File.findById(this.photo_file_id)
}
has_authorized(client) {
return this.app_authorizations.some(x => x.client_id === client.id)
}
get_authorization(client) {
for ( const auth of this.app_authorizations ) {
if ( auth.client_id === client.id )
return auth
}
}
authorize(client) {
if ( !this.has_authorized(client) ) {
const client_rec = new AppAuthorization({
client_id: client.id,
api_scopes: client.api_scopes,
}, this)
this.app_authorizations.push(client_rec)
} else {
const client_rec = this.get_authorization(client)
client_rec.api_scopes = client.api_scopes
}
}
async to_api() {
return {
id: this.id,
uid: this.uid,
first_name: this.first_name,
last_name: this.last_name,
email: this.email,
tagline: this.tagline,
trap: this.trap,
group_ids: (await this.groups()).map(x => x.id),
}
}
static scopes = [
new ActiveScope({})
]
static async ldap_directory() {
return this.find({ldap_visible: true})
}
// TODO just in case we need this later
get can_login() {
return true
}
async sessions() {
const Session = require('../Session')
this.app.di().inject(Session)
return Session.find({ 'session.auth.user_id': this.id })
}
async kickout() {
// TODO handle SAML session participants
const sessions = await this.sessions()
for ( const session of sessions ) {
delete session.session.auth
delete session.session.mfa_remember
await session.save()
}
}
// Prefer soft delete because of the active scope
async delete() {
this.active = false
await this.save()
}
async check_password(password) {
return this.get_provider().check_user_auth(this, password)
}
async check_app_password(password) {
for ( const pw of this.app_passwords ) {
if ( await pw.verify(password) ) return true
}
return false
}
async reset_password(new_password, reason = 'user') {
const reset = new PasswordReset({
reason,
old_hash: this.password,
}, this)
await reset.set_hash(new_password)
this.password = reset.hash
this.password_resets.push(reset)
return reset
}
async app_password(name) {
const gen = uuid().replace(/-/g, '')
const pw = new AppPassword({ name }, this)
await pw.set_hash(gen)
this.app_passwords.push(pw)
return { password: gen, record: pw }
}
async groups() {
const Group = this.models.get('auth:Group')
return Group.find({ active: true, user_ids: this.id })
}
async oidc_sessions() {
const Session = this.models.get('openid:Session')
return Session.find({ 'payload.account': this.id })
}
async logout(request) {
for ( const session of (await this.oidc_sessions()) ) {
await session.delete()
}
this.get_provider().logout(request)
}
async to_ldap(iam_targets = []) {
const Policy = this.models.get('iam:Policy')
const ldap_data = {
uid: this.uid.toLowerCase(),
uuid: this.uuid,
cn: this.first_name,
sn: this.last_name,
gecos: `${this.first_name} ${this.last_name}`,
mail: this.email,
objectClass: ['inetOrgPerson', 'person'],
entryuuid: this.uuid,
entryUUID: this.uuid,
objectGuid: this.uuid,
}
if ( this.tagline ) ldap_data.extras_tagline = this.tagline
const addl_data = JSON.parse(this.data)
for ( const key in addl_data ) {
if ( !addl_data.hasOwnProperty(key) || !key.startsWith('ldap_') ) continue
ldap_data[`data${key.substr(4)}`] = `${addl_data[key]}`
}
const groups = await this.groups()
if ( groups.length > 0 ) {
const group_data = groups.map(x => x.dn.format(this.configs.get('ldap:server.format')))
ldap_data.memberOf = group_data
ldap_data.memberof = group_data
}
const iamtarget = []
for ( const target_id of iam_targets ) {
if ( await Policy.check_user_access(this, target_id) ) {
iamtarget.push(target_id)
}
}
ldap_data.iamtarget = iamtarget
return ldap_data
}
get dn() {
return LDAP.parseDN(`uid=${this.uid.toLowerCase()},${this.ldap_server.auth_dn().format(this.configs.get('ldap:server.format'))}`)
}
// The following are used by OpenID connect
async claims(use, scope) {
return {
sub: this.id,
email: this.email,
email_verified: true, // TODO
family_name: this.last_name,
given_name: this.first_name,
locale: 'en_US', // TODO
name: `${this.first_name} ${this.last_name}`,
preferred_username: this.uid.toLowerCase(),
username: this.uid.toLowerCase(),
}
}
static async findByLogin(login) {
return this.findOne({
active: true,
uid: login.toLowerCase(),
})
}
static async findAccount(ctx, id, token) {
return this.findById(id)
}
get accountId() {
return this.id
}
}
module.exports = exports = User
Reference in New Issue View Git Blame Copy Permalink